From 00c32c2cc609548c403f8977d38fece67deb5c29 Mon Sep 17 00:00:00 2001
From: evilsocket <evilsocket@gmail.com>
Date: Thu, 30 Aug 2018 12:30:08 +0300
Subject: [PATCH] new: net.sniff now will parse and print mDNS query responses

---
 modules/net_sniff_mdns.go    | 60 ++++++++++++++++++++++++++++++++++++
 modules/net_sniff_parsers.go |  2 ++
 2 files changed, 62 insertions(+)
 create mode 100644 modules/net_sniff_mdns.go

diff --git a/modules/net_sniff_mdns.go b/modules/net_sniff_mdns.go
new file mode 100644
index 00000000..ea1344a2
--- /dev/null
+++ b/modules/net_sniff_mdns.go
@@ -0,0 +1,60 @@
+package modules
+
+import (
+	"strings"
+
+	"github.com/bettercap/bettercap/core"
+	"github.com/bettercap/bettercap/packets"
+
+	"github.com/google/gopacket"
+	"github.com/google/gopacket/layers"
+
+	"github.com/miekg/dns"
+)
+
+func mdnsParser(ip *layers.IPv4, pkt gopacket.Packet, udp *layers.UDP) bool {
+	if udp.SrcPort == packets.MDNSPort && udp.DstPort == packets.MDNSPort {
+		var msg dns.Msg
+		if err := msg.Unpack(udp.Payload); err == nil && msg.Opcode == dns.OpcodeQuery && len(msg.Answer) > 0 {
+			m := make(map[string][]string)
+			for _, answer := range append(msg.Answer, msg.Extra...) {
+				switch rr := answer.(type) {
+				case *dns.A:
+					name := rr.Header().Name
+					if _, found := m[name]; found == false {
+						m[name] = make([]string, 0)
+					}
+
+					m[name] = append(m[name], answer.(*dns.A).A.String())
+
+				case *dns.AAAA:
+					name := rr.Header().Name
+					if _, found := m[name]; found == false {
+						m[name] = make([]string, 0)
+					}
+
+					m[name] = append(m[name], answer.(*dns.AAAA).AAAA.String())
+				}
+
+			}
+
+			for hostname, ips := range m {
+				NewSnifferEvent(
+					pkt.Metadata().Timestamp,
+					"mdns",
+					ip.SrcIP.String(),
+					ip.DstIP.String(),
+					nil,
+					"%s %s : %s is %s",
+					core.W(core.BG_DGRAY+core.FG_WHITE, "mdns"),
+					vIP(ip.SrcIP),
+					core.Yellow(hostname),
+					core.Dim(strings.Join(ips, ", ")),
+				).Push()
+			}
+
+			return true
+		}
+	}
+	return false
+}
diff --git a/modules/net_sniff_parsers.go b/modules/net_sniff_parsers.go
index d86821ef..58ed68fe 100644
--- a/modules/net_sniff_parsers.go
+++ b/modules/net_sniff_parsers.go
@@ -45,6 +45,8 @@ func udpParser(ip *layers.IPv4, pkt gopacket.Packet, verbose bool) {
 
 	if dnsParser(ip, pkt, udp) {
 		return
+	} else if mdnsParser(ip, pkt, udp) {
+		return
 	} else if krb5Parser(ip, pkt, udp) {
 		return
 	} else if verbose {